Closed kevmoo closed 3 years ago
> @TheMisir nice work, I like it 😍 I have two questions:
> Not sure if there is a standard that we can utilize for the second issue 🤔
First of all, the proposal is based on RFC 7235, because I think it will be much easier to add authentication to existing unprotected pub servers just by setting up reverse proxies like NGINX, which has built-in support for authentication following that RFC.
> 1. What should the server send for the `realm`?

The `realm` parameter is optional (it is not required to be defined) and is currently not planned to be used in this proposal. Here are more details about "Protection Space (Realm)" if you want to read more: https://datatracker.ietf.org/doc/html/rfc7235#section-2.2
> 2. Do you see an option to replace the "Enter Bearer" prompt dynamically based on the provider? For example, for Github packages "Enter your Github personal access token:" is much more user friendly :)
It's possible, but it might add unnecessary additional complexity to the implementation, so I have not included it in the proposal doc. We could replace the prompts by providing an additional parameter in the `WWW-Authenticate` header, like:

```
WWW-Authenticate: Bearer prompt="Enter your Github personal access token:"
```
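The challenge handling discussed above, as an added example (Python, not pub's own code): it parses a `WWW-Authenticate` value using RFC 7235's auth-param grammar and picks the prompt from the hypothetical `prompt` parameter, falling back to an assumed default when the server omits it. The `realm` is parsed but not otherwise used, and since the prompt is server-controlled text that lands in the user's terminal, control characters are rejected before it is shown.

```python
import re

# tchar from RFC 7230 §3.2.6, used for schemes, param names and token values
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# One auth-param: name "=" ( token / quoted-string ), followed by "," or end.
_PARAM_RE = re.compile(
    rf'\s*({_TCHAR})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({_TCHAR}))\s*(?:,|$)'
)


def parse_challenge(header: str) -> tuple[str, dict[str, str]]:
    """Parse a single WWW-Authenticate challenge into (scheme, params).

    Scheme and parameter names are case-insensitive (RFC 7235 §2.1) and are
    lower-cased; quoted-string backslash escapes are removed. Several
    comma-joined challenges in one header value are not handled here.
    """
    scheme, _, rest = header.strip().partition(" ")
    params: dict[str, str] = {}
    pos = 0
    while pos < len(rest):
        m = _PARAM_RE.match(rest, pos)
        if m is None:
            raise ValueError(f"malformed auth-param near {rest[pos:]!r}")
        name, quoted, token = m.groups()
        value = token if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
        if name.lower() in params:  # RFC 7235 §2.1: names must not repeat
            raise ValueError(f"duplicate auth-param {name!r}")
        params[name.lower()] = value
        pos = m.end()
    return scheme.lower(), params


def prompt_for(header: str, default: str = "Enter Bearer token:") -> str:
    """Choose the text a client would show before asking for a Bearer token.

    Uses the server-supplied `prompt` auth-param (hypothetical, from the
    thread) when present, else the assumed default. `realm` is parsed but
    unused. The prompt is server-controlled text that ends up in the user's
    terminal, so control characters (including ESC) are rejected.
    """
    scheme, params = parse_challenge(header)
    if scheme != "bearer":
        raise ValueError(f"unsupported auth scheme {scheme!r}")
    text = params.get("prompt", default)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text):
        raise ValueError("prompt contains control characters")
    return text
```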
@TheMisir we'll still need special handling for `pub.dartlang.org` and such...
I would also like it if it was possible to make requests with a one-time token, like:

```
dart pub publish --token <token>
```

or maybe using an env var.
This could be useful when publishing from CI systems.
Also, we could consider dropping basic auth initially. It might not be necessary, and it certainly would make it harder to do one-time authentication as proposed above.
We've discussed something like:

```
pub authenticate example.com
```
This would allow private pub repos to have authenticated access.
We'd also want authentication to be supported for `pub get/update`.
CC @computmaxer